More than 30 states have legalized medical marijuana and more than 10 have legalized marijuana for recreational use, including Michigan in a 2018 ballot proposal. Marijuana retailers have significant issues to address as the industry and the rules governing it mature over time. Among those issues, retailers should not overlook data privacy and cybersecurity issues.
Retail sales of marijuana involve collecting several types of information with varying levels of sensitivity. At minimum, the data that retailers collect likely include the customer’s name, driver’s license information, contact information, and credit card data. A retailer’s legal risks relating to data privacy and security stem from compliance with state and federal laws and regulations, and litigation risks. We identify and discuss some of these issues below.
Compliance with Relevant Laws and Regulations
Regulatory risks are particularly prominent for marijuana retailers, who are already in regulators’ crosshairs due to the marijuana industry’s controversial perception. Some states’ marijuana rules require retailers to store customer data and report that information to the state. Other states omit data retention and reporting requirements, leaving retailers to decide what information to retain. Michigan is still developing its rules in this regard, so retailers should keep a close eye on how the state’s rules evolve. Retailers should also be aware that states are actively passing, updating, and enforcing rules relating to data breaches, privacy, and security, which apply to businesses in the marijuana industry too.
On the federal level, some medical marijuana retailers may also be subject to the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). A retailer is subject to HIPAA only if it is considered to be a "covered entity" under HIPAA.
HIPAA defines a covered entity to include a health care provider that transmits protected health information in electronic form in connection with certain covered transactions (such as billing a health insurance company, or determining whether an individual is covered by a health plan). A "health care provider" is defined broadly under HIPAA to include any person or organization that furnishes supplies related to the health of an individual.
If a medical marijuana retailer is a covered entity under HIPAA, then it must comply with HIPAA's privacy and security rules with regard to any protected health information ("PHI") that it creates, receives, or maintains. Retailers should take reasonable steps to ensure that PHI is maintained and transmitted in a secure manner, and to become familiar with HIPAA's restrictions on the use and disclosure of PHI by a covered entity.
In addition to regulatory risks, a marijuana retailer that falls victim to a data breach is at significant risk of a costly lawsuit. In fact, some marijuana databases throughout the country have already fallen victim to cyber attacks. For example, an incident affecting the State of Washington resulted in a leak that included tax records, social security numbers, driver’s licenses, and financial information. Similarly, the Nevada medical marijuana database was hacked in 2016, resulting in the online publication of over 11,000 retailers’ and employees’ names, social security numbers, addresses, and citizenship information. Although these attacks were on state-run databases, they highlight the vulnerability of private retailers as well. Attacks on marijuana-related businesses are likely to increase as the overall number of cyber attacks increases. A similar incident affecting a private retailer would be very likely to result in a costly lawsuit.
The costs of a data breach are significant, including the cost of remediating the breach and notifying the victims, as well as reputational harm. The costs tend to increase significantly if litigation or regulatory action occurs. These costs are so significant that a breach could cause an unprepared marijuana retailer to close entirely.
To reduce the risks related to costly incidents, marijuana companies should address data privacy and security from the beginning. Companies should develop a comprehensive data privacy plan and incident response plan that complies with applicable laws and regulations. If you are concerned about protecting your business or company against a cyber attack, please contact a member of Foster Swift's cybersecurity team.